Case Study: Omni American Bank Takes on Data Loss PreventionWhen a Dallas, TX bank needed some help to stop unauthorized data, it pulled out the biggest guns it could locate to stop the data leaking out of its networks.
The choice was a natural progression of what the bank was already doing to stop data loss, according to Omni American Bank's Chief Information Officer Tony Lippert, who says the bank wanted to have "more visibility into our data. We wanted to know how our data was being used and where it was going."
The bank chose Websense (www.websense.com) to provide a data loss prevention solution. Data loss prevention (DLP) refers to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders.
The Road to Data Loss Prevention
Omni American Bank, situated in the Ft. Worth/Dallas, TX area has a customer base of 86,000 and more than $1 billion in assets, with 17 locations in the Dallas metro area. The bank is overseen by the Office of Thrift Supervision.
Omni American had already been using several products such as content filtering and a URL filter product at the bank. The move to DLP added an additional layer of security for the bank, Lippert says. "We wanted to take a view of our security and data in a holistic approach in how the data is being used because one of the biggest assets of a bank is its data, and we wanted to protect it."
Omni American looked for a DLP solution that would show "where the data is at, where it is headed and every place in between," Lippert notes. With the DLP solution in place, the bank can now see how the data is being used, by whom, "and we can control who sees the information and who they can send it to," Lippert says.
The DLP solution even will stop information being sent to unencrypted sites, Lippert says. "When we send something to FISERV, we send it via FTP. Based on the rule set, if the site we're sending to isn't encrypted or it is vulnerable, then the DLP solution won't allow the FTP site to send the packet of information."
There are things that it can't stop, such as incoming sensitive information. "While we can't stop a customer from sending us sensitive account numbers or their social security number in an email, this DLP solution will stop the customer representative from replying back to them with that information in their reply," he observes. The outgoing message will be immediately stopped, and an alert will be sent to the information security department so the information security department can put the alert in its incident response program.
The information security department then notifies the person and their manager to let them know that a message has been stopped. "We then tell them the steps to take so it won't happen again, such as 'create a new email instead of replying directly to the email,'" he says.
This DLP solution covers every data point, including CDs, USBs, but Omni American uses other encryption methods other than this solution, "This way we have several other layers that prevent access to USB ports and drives," Lippert explains.
Omni American had been thinking about adding a data loss prevention solution and saw the market was maturing. "We didn't have to go through much of a vetting process. It wasn't a hard decision to make, the solution we chose allows us to monitor and manage the solution centrally. It was really a 'no brainer,'" says Lippert.
The DLP solution has also helped streamline many of the bank's exams. "It helps with our compliance program as well, because our examiners will come in and ask well how do you know that this system is protected? We can now print reports to show them. Documentation is something that every examiner looks for during an exam," he observes.
So how much of the data leaks at Omni American are intentional? "Most, if not all of the leaks are unintentional," says Lippert. "It has a lot to do with education and training of the end user and better data security practices. We've found that a lot of people outside of the IT area don't realize that email isn't secure." These employees don't realize when they send an email from the bank to an outside company that everything in between those two servers is insecure, which is why the majority of the leaks Lippert's team has seen thus far is similar to the customer service rep scenario described earlier.
Data leaks are now non existent at Omni American after they rolled out the solution about month ago. "We immediately caught some instances of data leaks, and we've realized that we have a lot of education and training to do, but the leaks are gone," notes Lippert.
Omni American has hired a Chief Information Security Officer, who Lippert says is in the midst of building a more in-depth information security awareness program. They have already begun by offering weekly training for IT staff on the information security program, and in a month the organizational wide training will begin.
Lippert sees the expansion of the bank's annual information security training session as key to raising the whole organization to a higher level of awareness. His philosophy is stated simply, "Your security program is only as good as the people you have running it, and your awareness program is only as good as the people who buy into it and the adoption of it by the whole organization. If you have 400 employees watching over the data, that's a better number than have the staff of three in the information security department looking out for it."